Clearly, the highly publicized mistakes and the correlating high dollar settlements made by countless companies like Enron and Chevron have opened employers' eyes to this sleeping giant of liability in the e-communications world. Few are willing to take a passive approach when it comes to protections against these risks.
From ensuring compliance with regulatory issues to guarding against loss of data, proprietary information and productivity, e-policy development is essential to good business. Companies understand that while eliminating all e-risk is impossible, it must be minimized. But an overwhelming number of businesses share a serious chink in their armor and are needlessly exposing themselves.
E-Policy Education is Crucial
With better than 80 per cent of companies having a written policy covering the use of email and the internet, it is baffling that only 24 per cent of businesses report educating employees regarding email use, risks and responsibilities (Source: AMA Electronic Policies and Practices Survey). The case for e-policy education becomes even stronger when you consider 10 per cent of companies report being ordered to turn over email records in workplace lawsuits and the number is growing rapidly.
Laws are Always Changing
Laws and regulations are constantly being revised and reinterpreted. Certain laws and regulations require specific e-communications be retained as business records and can be subpoenaed in legal actions. If this information has been deleted in the absence of written e-policy and employee education, businesses can be held accountable for the destruction of key evidence. Employers must take the responsibility to teach employees which email is valuable based on its content and context. Otherwise employees may keep everything - a waste of resources and storage space - or accidentally destroy important documents. This all or nothing approach is far from ideal. With training, employees can learn which email is valuable and which is not. In addition to meeting the letter of the law, retention and disposal education keeps costs related to data storage and management in check.
Technology and e-policy are constantly changing. As e-policy evolves, so must education. Investing in technology to improve business without the training to maximize effectiveness and minimize against risk is a waste of money. No matter how technology advances, and no matter how quickly your IT department upgrades and implements, they alone cannot fully protect your organization. Without a comprehensive understanding of technology, the environment is ripe for misuse - intentional or not.
Written policy alone cannot protect employers from risk. No matter how comprehensive the e-policy, if employees don't know the details and rationale and take it to heart, compliance will not be at an optimum level. Without education, organizations remain vulnerable to the risks that motivated the original development of an e-policy. Written policy, coupled with understanding of key technical and legal ramifications through education and training is the only comprehensive approach to successfully battle e-risks.
Organizations Need to Implement the Three EsTo ensure that ePolicies work for an organization, it is important that the following steps are taken:
· Establish a Policy-The first step in stemming the tide of email-related lawsuits is to establish a sound Internet use policy in which employees acknowledge that the Web and email system belongs to the company and that messages may be monitored. A policy not only alerts employees to concerns of organizational liability, but may also be used as evidence of supporting a healthy work environment.
· Educate Employees-If employees aren't informed about how to use email and Web properly, they probably won't. The end result then is potential legal liability and loss of both network and employee productivity-both affect an organization's bottom line.
· Enforce Policy- If an employee ignores the company policy and sends an email containing the kind of language that can be construed as harassment or discrimination, or if an email contains a threat to the network like a virus or malicious code, the email must be stopped before harm is done. Additionally, if emails are destroyed and retention policies ignored, the company and/or the individual can be held responsible for the inappropriate actions.
Employees Must Understand the consequences of Email AbuseWhile employees may be important assets to organizations, they are also the weakest link when it comes to electronic security. Employees need to understand that while highly convenient, email use can expose companies to legal liability, lost of proprietary information, loss of network productivity and loss of employee productivity. Organizations must make sure their employees know their rights and responsibilities when using electronic communication in the business environment.
Policies are only as good as employees' adherence to them. For optimal compliance, employees need to know the rules and how to comply with them and what the consequences of non-compliance are. Ownership of policy is key to compliance. The more employees feel a part of the process and that e-policy is a top priority, the more likely they are to adhere to it. E-policy must be communicated through every level of an organization and done on an on-going basis. Effective communication of the policy needs to travel through a variety of mediums and cannot rely on email alone. Department and company wide meetings and trainings, inclusions in new hire orientations and employee handbooks as well as email updates are essential to a comprehensive communication plan of the policy.
Compliance has key business benefits - reduced liability, increased productivity, communication is faster and cost efficient, bandwidth is maximized, and security is increased. 90% of employees report surfing the web at work. (Source: AMA Electronic Polices and Procedures Survey). Provide employees with written and signed copies of the organizations policies and make sure their expectation of privacy is in line with employers monitoring rights.
Not only is education good business practice, corporations have a social responsibility to protect their employees. This means organizations must keep their employees safe from harassment and must ensure their environment is not hostile in any way lest they face litigation or loss of reputation. Regulations can hold organizations responsible for individuals' acts - knowingly or not - under vicarious liability - the standard that not knowing unacceptable activity was being undertaken is not a sufficient defense. Formation of good policy, supported by training may form a solid defense for organizations facing harassment claims.
From the Boardroom on down, all employees are prone to human error. And when it comes to e-policy, examples of poor judgment and policy ignorance and the associated cost and consequences of such actions are endless. In a world where the stakes are multi-million dollar defenses and settlements, making the grade when it comes to compliance can't be left to chance. The human factor will always be present in e-security. A proactive approach to e-policy education can strengthen your defenses and keep your organizations e-policy at the top of the class.The author is CEO of Clearswift.